Date:      Sun, 03 Aug 2008 10:21:31 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: The BIND scandal
Message-ID:  <4895E91B.3000002@FreeBSD.org>
In-Reply-To: <Pine.LNX.4.64.0808021459580.23103@neptune.sinister.com>
References:  <Pine.LNX.4.64.0808021459580.23103@neptune.sinister.com>

Bob is quite obviously trolling for a fight here, and I'm definitely 
not going to get sucked into that.

I would like to point out, however, that the _DNS_ vulnerability that is 
currently in wide discussion is not in any way related to BIND; it's a 
fundamental flaw in the protocol related to response forgery. All 
major vendors of DNS systems and the IETF working groups on DNS are 
trying to find a permanent solution for this problem. As a stop-gap 
measure, ISC has adopted the same solution for BIND that has proven 
effective for other vendors: randomizing the query source port. You 
can find more information about this issue here:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  http://www.kb.cert.org/vuls/id/800113
  http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience


Hope this helps,

Doug

-- 

     This .signature sanitized for your protection
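The message above describes the mitigation (randomizing the query source port) without showing why it matters. The following is an added example, not part of Doug Barton's message nor code from BIND or ISC: it estimates, from a capture of a resolver's outgoing (source port, transaction ID) pairs, how much entropy an off-path forger would have to match, and compares a fixed-port resolver with a port-randomizing one. The query records and the `assess_queries` / `forgery_success_probability` names are constructed for this illustration.

```python
# Added example (not from the message, BIND or ISC): assess how much entropy a
# resolver's outgoing queries expose to blind response forgery (CVE-2008-1447).
# With a fixed source port only the 16-bit TXID has to be matched; randomizing
# the port multiplies the search space.  All input data below is constructed.
import math
import random
from collections import Counter

def entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def assess_queries(queries):
    """queries: iterable of (src_port, txid) seen leaving one resolver.
    Returns (port_bits, txid_bits, distinct_ports, verdict)."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_bits = entropy_bits(ports)
    txid_bits = entropy_bits(txids)
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "FIXED port: a forger only has to guess the TXID"
    elif port_bits < 8:
        verdict = "POOR port randomization"
    else:
        verdict = "GOOD port randomization"
    return port_bits, txid_bits, distinct, verdict

def forgery_success_probability(space_bits, attempts):
    """Chance that `attempts` blind guesses hit one slot out of 2**space_bits."""
    return 1 - (1 - 2 ** -space_bits) ** attempts

# Constructed captures: an unpatched resolver that always sends from port 53,
# and a patched one drawing source ports from the ephemeral range.
rng = random.Random(1)
UNPATCHED = [(53, rng.randrange(65536)) for _ in range(2000)]
PATCHED = [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(2000)]

if __name__ == "__main__":
    for name, q in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        pb, tb, d, v = assess_queries(q)
        print(f"{name}: {d} distinct ports, port entropy {pb:.1f} bits, "
              f"txid entropy {tb:.1f} bits -> {v}")
    # Observed entropy is capped near log2(2000) ~ 11 bits by the sample size;
    # the real search space is 16 (TXID) plus roughly 16 (port) bits.
    print("P(hit) after 10000 guesses, 16-bit space:", forgery_success_probability(16, 10000))
    print("P(hit) after 10000 guesses, 32-bit space:", forgery_success_probability(32, 10000))
```

Run against a real capture, the same check tells you whether a resolver in your network still sends from a single port and therefore still needs the patch.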